I gave Claude SSH access to my server — here's the consent gate that makes it safe

A developer built devops-mcp, a mode-based MCP server that lets AI assistants like Claude Desktop, Cursor, and Windsurf operate Linux servers with restricted permissions. The tool enforces a consent gate for state-changing commands, requiring an out-of-band secret token that the AI never sees, and adds extra confirmation for irreversible operations. It is open-source under MIT license and available on GitHub.

Letting an AI assistant run commands on a real server is genuinely useful — and genuinely terrifying. A model with full shell on a live box can restart the wrong service, deploy onto an in-use port, or `docker prune` a database volume because nothing told it not to.

So I built devops-mcp: a mode-based MCP server that lets AI assistants (Claude Desktop, Cursor, Windsurf) operate Linux servers — without handing them the keys to the kingdom.

The AI can connect, scan, plan, and run read-only diagnostics freely. But every command that changes state on a production-like server passes through a consent gate the AI cannot self-approve — it requires a secret token that's passed out-of-band and that the model literally never sees.

| Mode | Allows | Expiry |
|---|---|---|
| 🟢 SAFE (default) | Read-only allowlist (~250 verbs) | none |
| 🟡 PROVISION | Package installs, Docker/Nginx setup | 1 hour |
| 🔴 FULL | Root, anything | 30 min |

On a server marked production, any write is refused without the token + explicit acknowledgement. And for irrecoverable operations — `rm -rf /`, `dd`, `mkfs`, SQL `DROP TABLE`, `docker volume rm` — it additionally makes you confirm a backup exists. `$(...)` substitutions are validated by their contents, not blanket-escalated.

It's TypeScript, MIT-licensed, and works with any MCP client. Setup is four steps (the key one: generate your elevation token and save it).
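The gate rules described above (mode expiry, token plus acknowledgement on production, backup confirmation, `$(...)` judged by its contents) can be sketched as one decision function. This is an added example, not code from devops-mcp; the type names, the short verb and pattern lists, and the way the operator's consent reaches the gate are all assumptions.

```typescript
// Added illustration: names, lists and rules are assumptions, not devops-mcp's code.
type Mode = "SAFE" | "PROVISION" | "FULL";
const TTL_MS: Record<Mode, number> = { SAFE: Infinity, PROVISION: 60 * 60000, FULL: 30 * 60000 };
// Small stand-ins for the real lists (the page cites ~250 read-only verbs).
const READ_ONLY = ["ls", "cat", "df", "ps", "uptime", "echo"];
const IRRECOVERABLE = [/\brm\s+-rf\b/, /\bdd\b/, /\bmkfs/, /\bdrop\s+table\b/i, /\bdocker\s+volume\s+rm\b/];

interface ServerSession { mode: Mode; elevatedAt: number; production: boolean }
// Filled in by the operator out-of-band; never taken from the model's tool arguments.
interface OperatorConsent { token?: string; acknowledged?: boolean; backupConfirmed?: boolean }
interface Verdict { allow: boolean; reason: string }

// Best-effort constant-time compare; on Node, crypto.timingSafeEqual is the usual choice.
function sameToken(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

// Read-only means: allowlisted verb, and every $(...) body is itself read-only.
function isReadOnly(cmd: string): boolean {
  const sub = /\$\(([^()]*)\)/g; // innermost substitutions only
  let m: RegExpExecArray | null;
  while ((m = sub.exec(cmd)) !== null) if (!isReadOnly(m[1])) return false;
  const flat = cmd.replace(/\$\([^()]*\)/g, "");
  // Chaining, redirects, backticks or leftover (nested) parentheses: treat as a write.
  if (/[;&|<>`()\n]/.test(flat)) return false;
  return READ_ONLY.indexOf(flat.trim().split(/\s+/)[0]) !== -1;
}

function gate(cmd: string, s: ServerSession, c: OperatorConsent, expected: string, now: number): Verdict {
  if (isReadOnly(cmd)) return { allow: true, reason: "read-only" };
  // PROVISION's narrower command set is not modelled; elevated modes differ only by expiry here.
  if (s.mode === "SAFE" || now - s.elevatedAt > TTL_MS[s.mode])
    return { allow: false, reason: "needs unexpired elevated mode" };
  if (s.production) {
    if (!expected || !c.token || !sameToken(c.token, expected))
      return { allow: false, reason: "production write without valid token" };
    if (!c.acknowledged) return { allow: false, reason: "production write not acknowledged" };
  }
  // Applied on every server here; the page describes it alongside the production rule.
  if (IRRECOVERABLE.some(re => re.test(cmd)) && !c.backupConfirmed)
    return { allow: false, reason: "backup not confirmed for irrecoverable operation" };
  return { allow: true, reason: "consented" };
}
```

The property to check in any such gate is that nothing the model sends can populate the consent object: the token and both confirmations have to arrive on a channel only the operator controls.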
⭐ Repo: https://github.com/MHasnainJafri/devops-mcp

I'd love feedback — especially on the threat model and whether the mode boundaries feel right for how you run infra.